CVE-2019-0199 (High) detected in tomcat-embed-core-8.5.16.jar

[mend-bolt-for-github]

CVE-2019-0199 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.16.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /infiniboard/quartermaster/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.16/1318c2a44de53b692cb42021dc3d9a2a185e65a4/tomcat-embed-core-8.5.16.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.16/1318c2a44de53b692cb42021dc3d9a2a185e65a4/tomcat-embed-core-8.5.16.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.5.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.5.5.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.16.jar (Vulnerable Library)

Found in HEAD commit: 743bd280ef9d3a3127ed7f904cd5dddec872618a

Vulnerability Details

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Publish Date: 2019-04-10

URL: CVE-2019-0199

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199

Release Date: 2019-04-10

Fix Resolution: 8.5.38,9.0.14

---

Step up your Open Source Security Game with WhiteSource here